######################################################################## ############# Application: Novell Netware FTP Remote Stack Overflow Platforms: Novell Netware 6.5 SP8 Exploitation: Remote Code Execution CVE Number: CVE-2010-0625 Novell TID: 3238588 Discover Date: 2009-07-23 Author: Francis Provencher (Protek Research Lab's) Blog: http://www.protekresearchlab.com/ ######################################################################## ############# 1) Introduction 2) Report Timeline 3) Technical details 4) The Code ######################################################################## ############# =============== 1) Introduction =============== Novell, Inc. is a global software and services company based in Waltham, Massachusetts. The company specializes in enterprise operating systems, such as SUSE Linux Enterprise and Novell NetWare; identity, security, and systems management solutions; and collaboration solutions, such as Novell Groupwise and Novell Pulse. Novell was instrumental in making the Utah Valley a focus for technology and software development. Novell technology contributed to the emergence of local area networks, which displaced the dominant mainframe computing model and changed computing worldwide. Today, a primary focus of the company is on developing open source software for enterprise clients. (http://en.wikipedia.org/wiki/Novell) ######################################################################## ############# ============================ 2) Report Timeline ============================ 2010-01-25 Vendor Contact 2010-01-26 Vendor repsonse 2010-03-26 Coordinate release of this advisory ######################################################################## ############# ============================ 3) Technical details ============================ It's possible to overflow the stack and rewrite the EIP by sending a mkdir and a rmdir request with these special caracters "~A/" 320 time. The nlm version; NWFTPD.nlm Netware FTP Server Version 5.09.03 October 14 2008 The register; Abend 1 on P00: Server-5.70.08: Page Fault Processor Exception (Error code 00000000) Registers: CS = 0008 DS = 0023 ES = 0023 FS = 0023 GS = 0023 SS = 0010 EAX = 00000238 EBX = 7E2F417E ECX = 55AA08D4 EDX = 00000001 ESI = 2F417E2F EDI = 429980C0 EBP = 417E2F41 ESP = A94A9FA4 EIP = 007E2F41 FLAGS = 00010282 Address (0x007E2F41) exceeds valid memory limit EIP in UNKNOWN memory area Access Location: 0x007E2F41 ######################################################################## ############# =========== 4) The Code =========== This issue can be trigger manually ######################################################################## ############# (PRL-2010-03)